tuxmain/rust-rpxy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: change mod name

Browse source
This commit is contained in:
Jun Kurihara 2023-11-28 18:11:37 +09:00
commit f020ece60d
No known key found for this signature in database
GPG key ID: D992B3E3DE1DED23
12 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

61
rpxy-lib/src/message_handler/canonical_address.rs Normal file
View file

@ -0,0 +1,61 @@
use std::net::{IpAddr, Ipv4Addr, SocketAddr};
/// Trait to convert an IP address to its canonical form
pub trait ToCanonical {
fn to_canonical(&self) -> Self;
}
impl ToCanonical for SocketAddr {
fn to_canonical(&self) -> Self {
match self {
SocketAddr::V4(_) => *self,
SocketAddr::V6(v6) => match v6.ip().to_ipv4() {
Some(mapped) => {
if mapped == Ipv4Addr::new(0, 0, 0, 1) {
*self
} else {
SocketAddr::new(IpAddr::V4(mapped), self.port())
}
}
None => *self,
},
}
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::net::Ipv6Addr;
#[test]
fn ipv4_loopback_to_canonical() {
let socket = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 8080);
assert_eq!(socket.to_canonical(), socket);
}
#[test]
fn ipv6_loopback_to_canonical() {
let socket = SocketAddr::new(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)), 8080);
assert_eq!(socket.to_canonical(), socket);
}
#[test]
fn ipv4_to_canonical() {
let socket = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)), 8080);
assert_eq!(socket.to_canonical(), socket);
}
#[test]
fn ipv6_to_canonical() {
let socket = SocketAddr::new(
IpAddr::V6(Ipv6Addr::new(0x2001, 0x0db8, 0, 0, 0, 0, 0xdead, 0xbeef)),
8080,
);
assert_eq!(socket.to_canonical(), socket);
}
#[test]
fn ipv4_mapped_to_ipv6_to_canonical() {
let socket = SocketAddr::new(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0xffff, 0xc00a, 0x2ff)), 8080);
assert_eq!(
socket.to_canonical(),
SocketAddr::new(IpAddr::V4(Ipv4Addr::new(192, 10, 2, 255)), 8080)
);
}
}

253
rpxy-lib/src/message_handler/handler_main.rs Normal file
View file

@ -0,0 +1,253 @@
use super::{
http_log::HttpMessageLog,
http_result::{HttpError, HttpResult},
synthetic_response::{secure_redirection_response, synthetic_error_response},
utils_headers::*,
utils_request::InspectParseHost,
};
use crate::{
backend::{BackendAppManager, LoadBalanceContext},
crypto::CryptoSource,
error::*,
globals::Globals,
hyper_ext::body::{BoxBody, IncomingLike, IncomingOr},
log::*,
name_exp::ServerName,
};
use derive_builder::Builder;
use http::{Request, Response, StatusCode};
use hyper_util::rt::TokioIo;
use std::{net::SocketAddr, sync::Arc};
use tokio::io::copy_bidirectional;
#[allow(dead_code)]
#[derive(Debug)]
/// Context object to handle sticky cookies at HTTP message handler
pub(super) struct HandlerContext {
#[cfg(feature = "sticky-cookie")]
pub(super) context_lb: Option<LoadBalanceContext>,
#[cfg(not(feature = "sticky-cookie"))]
pub(super) context_lb: Option<()>,
}
#[derive(Clone, Builder)]
/// HTTP message handler for requests from clients and responses from backend applications,
/// responsible to manipulate and forward messages to upstream backends and downstream clients.
// pub struct HttpMessageHandler<T, U>
pub struct HttpMessageHandler<U>
where
// T: Connect + Clone + Sync + Send + 'static,
U: CryptoSource + Clone,
{
// forwarder: Arc<Forwarder<T>>,
pub(super) globals: Arc<Globals>,
app_manager: Arc<BackendAppManager<U>>,
}
impl<U> HttpMessageHandler<U>
where
// T: Connect + Clone + Sync + Send + 'static,
U: CryptoSource + Clone,
{
/// Handle incoming request message from a client.
/// Responsible to passthrough responses from backend applications or generate synthetic error responses.
pub async fn handle_request(
&self,
req: Request<IncomingOr<IncomingLike>>,
client_addr: SocketAddr, // For access control
listen_addr: SocketAddr,
tls_enabled: bool,
tls_server_name: Option<ServerName>,
) -> RpxyResult<Response<IncomingOr<BoxBody>>> {
// preparing log data
let mut log_data = HttpMessageLog::from(&req);
log_data.client_addr(&client_addr);
let http_result = self
.handle_request_inner(
&mut log_data,
req,
client_addr,
listen_addr,
tls_enabled,
tls_server_name,
)
.await;
// passthrough or synthetic response
match http_result {
Ok(v) => {
log_data.status_code(&v.status()).output();
Ok(v)
}
Err(e) => {
debug!("{e}");
let code = StatusCode::from(e);
log_data.status_code(&code).output();
synthetic_error_response(code)
}
}
}
/// Handle inner with no synthetic error response.
/// Synthetic response is generated by caller.
async fn handle_request_inner(
&self,
log_data: &mut HttpMessageLog,
mut req: Request<IncomingOr<IncomingLike>>,
client_addr: SocketAddr, // For access control
listen_addr: SocketAddr,
tls_enabled: bool,
tls_server_name: Option<ServerName>,
) -> HttpResult<Response<IncomingOr<BoxBody>>> {
// Here we start to inspect and parse with server_name
let server_name = req
.inspect_parse_host()
.map(|v| ServerName::from(v.as_slice()))
.map_err(|_e| HttpError::InvalidHostInRequestHeader)?;
// check consistency of between TLS SNI and HOST/Request URI Line.
#[allow(clippy::collapsible_if)]
if tls_enabled && self.globals.proxy_config.sni_consistency {
if server_name != tls_server_name.unwrap_or_default() {
return Err(HttpError::SniHostInconsistency);
}
}
// Find backend application for given server_name, and drop if incoming request is invalid as request.
let backend_app = match self.app_manager.apps.get(&server_name) {
Some(backend_app) => backend_app,
None => {
let Some(default_server_name) = &self.app_manager.default_server_name else {
return Err(HttpError::NoMatchingBackendApp);
};
debug!("Serving by default app");
self.app_manager.apps.get(default_server_name).unwrap()
}
};
// Redirect to https if !tls_enabled and redirect_to_https is true
if !tls_enabled && backend_app.https_redirection.unwrap_or(false) {
debug!(
"Redirect to secure connection: {}",
<&ServerName as TryInto<String>>::try_into(&backend_app.server_name).unwrap_or_default()
);
return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_port, &req);
}
// Find reverse proxy for given path and choose one of upstream host
// Longest prefix match
let path = req.uri().path();
let Some(upstream_candidates) = backend_app.path_manager.get(path) else {
return Err(HttpError::NoUpstreamCandidates);
};
// Upgrade in request header
let upgrade_in_request = extract_upgrade(req.headers());
let request_upgraded = req.extensions_mut().remove::<hyper::upgrade::OnUpgrade>();
// Build request from destination information
let _context = match self.generate_request_forwarded(
&client_addr,
&listen_addr,
&mut req,
&upgrade_in_request,
upstream_candidates,
tls_enabled,
) {
Err(e) => {
error!("Failed to generate upstream request for backend application: {}", e);
return Err(HttpError::FailedToGenerateUpstreamRequest(e.to_string()));
}
Ok(v) => v,
};
debug!(
"Request to be forwarded: uri {}, version {:?}, headers {:?}",
req.uri(),
req.version(),
req.headers()
);
log_data.xff(&req.headers().get("x-forwarded-for"));
log_data.upstream(req.uri());
//////
//////////////
// // TODO: remove later
let body = crate::hyper_ext::body::full(hyper::body::Bytes::from("not yet implemented"));
let mut res_backend = super::synthetic_response::synthetic_response(Response::builder().body(body).unwrap());
// // Forward request to a chosen backend
// let mut res_backend = {
// let Ok(result) = timeout(self.globals.proxy_config.upstream_timeout, self.forwarder.request(req)).await else {
// return self.return_with_error_log(StatusCode::GATEWAY_TIMEOUT, &mut log_data);
// };
// match result {
// Ok(res) => res,
// Err(e) => {
// error!("Failed to get response from backend: {}", e);
// return self.return_with_error_log(StatusCode::SERVICE_UNAVAILABLE, &mut log_data);
// }
// }
// };
//////////////
// Process reverse proxy context generated during the forwarding request generation.
#[cfg(feature = "sticky-cookie")]
if let Some(context_from_lb) = _context.context_lb {
let res_headers = res_backend.headers_mut();
if let Err(e) = set_sticky_cookie_lb_context(res_headers, &context_from_lb) {
error!("Failed to append context to the response given from backend: {}", e);
return Err(HttpError::FailedToAddSetCookeInResponse);
}
}
if res_backend.status() != StatusCode::SWITCHING_PROTOCOLS {
// Generate response to client
if let Err(e) = self.generate_response_forwarded(&mut res_backend, backend_app) {
error!("Failed to generate downstream response for clients: {}", e);
return Err(HttpError::FailedToGenerateDownstreamResponse(e.to_string()));
}
return Ok(res_backend);
}
// Handle StatusCode::SWITCHING_PROTOCOLS in response
let upgrade_in_response = extract_upgrade(res_backend.headers());
let should_upgrade = match (upgrade_in_request.as_ref(), upgrade_in_response.as_ref()) {
(Some(u_req), Some(u_res)) => u_req.to_ascii_lowercase() == u_res.to_ascii_lowercase(),
_ => false,
};
if !should_upgrade {
error!(
"Backend tried to switch to protocol {:?} when {:?} was requested",
upgrade_in_response, upgrade_in_request
);
return Err(HttpError::FailedToUpgrade);
}
let Some(request_upgraded) = request_upgraded else {
error!("Request does not have an upgrade extension");
return Err(HttpError::NoUpgradeExtensionInRequest);
};
let Some(onupgrade) = res_backend.extensions_mut().remove::<hyper::upgrade::OnUpgrade>() else {
error!("Response does not have an upgrade extension");
return Err(HttpError::NoUpgradeExtensionInResponse);
};
self.globals.runtime_handle.spawn(async move {
let mut response_upgraded = TokioIo::new(onupgrade.await.map_err(|e| {
error!("Failed to upgrade response: {}", e);
RpxyError::FailedToUpgradeResponse(e.to_string())
})?);
let mut request_upgraded = TokioIo::new(request_upgraded.await.map_err(|e| {
error!("Failed to upgrade request: {}", e);
RpxyError::FailedToUpgradeRequest(e.to_string())
})?);
copy_bidirectional(&mut response_upgraded, &mut request_upgraded)
.await
.map_err(|e| {
error!("Coping between upgraded connections failed: {}", e);
RpxyError::FailedToCopyBidirectional(e.to_string())
})?;
Ok(()) as RpxyResult<()>
});
Ok(res_backend)
}
}

195
rpxy-lib/src/message_handler/handler_manipulate_messages.rs Normal file
View file

@ -0,0 +1,195 @@
use super::{
handler_main::HandlerContext, utils_headers::*, utils_request::apply_upstream_options_to_request_line,
HttpMessageHandler,
};
use crate::{
backend::{BackendApp, UpstreamCandidates},
constants::RESPONSE_HEADER_SERVER,
log::*,
CryptoSource,
};
use anyhow::{anyhow, ensure, Result};
use http::{header, uri::Scheme, HeaderValue, Request, Response, Uri, Version};
use std::net::SocketAddr;
impl<U> HttpMessageHandler<U>
where
U: CryptoSource + Clone,
{
////////////////////////////////////////////////////
// Functions to generate messages
////////////////////////////////////////////////////
/// Manipulate a response message sent from a backend application to forward downstream to a client.
pub(super) fn generate_response_forwarded<B>(
&self,
response: &mut Response<B>,
backend_app: &BackendApp<U>,
) -> Result<()> {
let headers = response.headers_mut();
remove_connection_header(headers);
remove_hop_header(headers);
add_header_entry_overwrite_if_exist(headers, "server", RESPONSE_HEADER_SERVER)?;
#[cfg(any(feature = "http3-quinn", feature = "http3-s2n"))]
{
// Manipulate ALT_SVC allowing h3 in response message only when mutual TLS is not enabled
// TODO: This is a workaround for avoiding a client authentication in HTTP/3
if self.globals.proxy_config.http3 && backend_app.crypto_source.as_ref().is_some_and(|v| !v.is_mutual_tls()) {
if let Some(port) = self.globals.proxy_config.https_port {
add_header_entry_overwrite_if_exist(
headers,
header::ALT_SVC.as_str(),
format!(
"h3=\":{}\"; ma={}, h3-29=\":{}\"; ma={}",
port, self.globals.proxy_config.h3_alt_svc_max_age, port, self.globals.proxy_config.h3_alt_svc_max_age
),
)?;
}
} else {
// remove alt-svc to disallow requests via http3
headers.remove(header::ALT_SVC.as_str());
}
}
#[cfg(not(any(feature = "http3-quinn", feature = "http3-s2n")))]
{
if self.globals.proxy_config.https_port.is_some() {
headers.remove(header::ALT_SVC.as_str());
}
}
Ok(())
}
#[allow(clippy::too_many_arguments)]
/// Manipulate a request message sent from a client to forward upstream to a backend application
pub(super) fn generate_request_forwarded<B>(
&self,
client_addr: &SocketAddr,
listen_addr: &SocketAddr,
req: &mut Request<B>,
upgrade: &Option<String>,
upstream_candidates: &UpstreamCandidates,
tls_enabled: bool,
) -> Result<HandlerContext> {
debug!("Generate request to be forwarded");
// Add te: trailer if contained in original request
let contains_te_trailers = {
if let Some(te) = req.headers().get(header::TE) {
te.as_bytes()
.split(|v| v == &b',' || v == &b' ')
.any(|x| x == "trailers".as_bytes())
} else {
false
}
};
let uri = req.uri().to_string();
let headers = req.headers_mut();
// delete headers specified in header.connection
remove_connection_header(headers);
// delete hop headers including header.connection
remove_hop_header(headers);
// X-Forwarded-For
add_forwarding_header(headers, client_addr, listen_addr, tls_enabled, &uri)?;
// Add te: trailer if te_trailer
if contains_te_trailers {
headers.insert(header::TE, HeaderValue::from_bytes("trailers".as_bytes()).unwrap());
}
// add "host" header of original server_name if not exist (default)
if req.headers().get(header::HOST).is_none() {
let org_host = req.uri().host().ok_or_else(|| anyhow!("Invalid request"))?.to_owned();
req
.headers_mut()
.insert(header::HOST, HeaderValue::from_str(&org_host)?);
};
/////////////////////////////////////////////
// Fix unique upstream destination since there could be multiple ones.
#[cfg(feature = "sticky-cookie")]
let (upstream_chosen_opt, context_from_lb) = {
let context_to_lb = if let crate::backend::LoadBalance::StickyRoundRobin(lb) = &upstream_candidates.load_balance {
takeout_sticky_cookie_lb_context(req.headers_mut(), &lb.sticky_config.name)?
} else {
None
};
upstream_candidates.get(&context_to_lb)
};
#[cfg(not(feature = "sticky-cookie"))]
let (upstream_chosen_opt, _) = upstream_candidates.get(&None);
let upstream_chosen = upstream_chosen_opt.ok_or_else(|| anyhow!("Failed to get upstream"))?;
let context = HandlerContext {
#[cfg(feature = "sticky-cookie")]
context_lb: context_from_lb,
#[cfg(not(feature = "sticky-cookie"))]
context_lb: None,
};
/////////////////////////////////////////////
// apply upstream-specific headers given in upstream_option
let headers = req.headers_mut();
// by default, host header is overwritten with upstream hostname
override_host_header(headers, &upstream_chosen.uri)?;
// apply upstream options to header
apply_upstream_options_to_header(headers, upstream_candidates)?;
// update uri in request
ensure!(
upstream_chosen.uri.authority().is_some() && upstream_chosen.uri.scheme().is_some(),
"Upstream uri `scheme` and `authority` is broken"
);
let new_uri = Uri::builder()
.scheme(upstream_chosen.uri.scheme().unwrap().as_str())
.authority(upstream_chosen.uri.authority().unwrap().as_str());
let org_pq = match req.uri().path_and_query() {
Some(pq) => pq.to_string(),
None => "/".to_string(),
}
.into_bytes();
// replace some parts of path if opt_replace_path is enabled for chosen upstream
let new_pq = match &upstream_candidates.replace_path {
Some(new_path) => {
let matched_path: &[u8] = upstream_candidates.path.as_ref();
ensure!(
!matched_path.is_empty() && org_pq.len() >= matched_path.len(),
"Upstream uri `path and query` is broken"
);
let mut new_pq = Vec::<u8>::with_capacity(org_pq.len() - matched_path.len() + new_path.len());
new_pq.extend_from_slice(new_path.as_ref());
new_pq.extend_from_slice(&org_pq[matched_path.len()..]);
new_pq
}
None => org_pq,
};
*req.uri_mut() = new_uri.path_and_query(new_pq).build()?;
// upgrade
if let Some(v) = upgrade {
req.headers_mut().insert(header::UPGRADE, v.parse()?);
req
.headers_mut()
.insert(header::CONNECTION, HeaderValue::from_static("upgrade"));
}
// If not specified (force_httpXX_upstream) and https, version is preserved except for http/3
if upstream_chosen.uri.scheme() == Some(&Scheme::HTTP) {
// Change version to http/1.1 when destination scheme is http
debug!("Change version to http/1.1 when destination scheme is http unless upstream option enabled.");
*req.version_mut() = Version::HTTP_11;
} else if req.version() == Version::HTTP_3 {
// HTTP/3 is always https
debug!("HTTP/3 is currently unsupported for request to upstream.");
*req.version_mut() = Version::HTTP_2;
}
apply_upstream_options_to_request_line(req, upstream_candidates)?;
Ok(context)
}
}

99
rpxy-lib/src/message_handler/http_log.rs Normal file
View file

@ -0,0 +1,99 @@
use super::canonical_address::ToCanonical;
use crate::log::*;
use http::header;
use std::net::SocketAddr;
/// Struct to log HTTP messages
#[derive(Debug, Clone)]
pub struct HttpMessageLog {
// pub tls_server_name: String,
pub client_addr: String,
pub method: String,
pub host: String,
pub p_and_q: String,
pub version: http::Version,
pub uri_scheme: String,
pub uri_host: String,
pub ua: String,
pub xff: String,
pub status: String,
pub upstream: String,
}
impl<T> From<&http::Request<T>> for HttpMessageLog {
fn from(req: &http::Request<T>) -> Self {
let header_mapper = |v: header::HeaderName| {
req
.headers()
.get(v)
.map_or_else(|| "", |s| s.to_str().unwrap_or(""))
.to_string()
};
Self {
// tls_server_name: "".to_string(),
client_addr: "".to_string(),
method: req.method().to_string(),
host: header_mapper(header::HOST),
p_and_q: req
.uri()
.path_and_query()
.map_or_else(|| "", |v| v.as_str())
.to_string(),
version: req.version(),
uri_scheme: req.uri().scheme_str().unwrap_or("").to_string(),
uri_host: req.uri().host().unwrap_or("").to_string(),
ua: header_mapper(header::USER_AGENT),
xff: header_mapper(header::HeaderName::from_static("x-forwarded-for")),
status: "".to_string(),
upstream: "".to_string(),
}
}
}
impl HttpMessageLog {
pub fn client_addr(&mut self, client_addr: &SocketAddr) -> &mut Self {
self.client_addr = client_addr.to_canonical().to_string();
self
}
// pub fn tls_server_name(&mut self, tls_server_name: &str) -> &mut Self {
// self.tls_server_name = tls_server_name.to_string();
// self
// }
pub fn status_code(&mut self, status_code: &http::StatusCode) -> &mut Self {
self.status = status_code.to_string();
self
}
pub fn xff(&mut self, xff: &Option<&header::HeaderValue>) -> &mut Self {
self.xff = xff.map_or_else(|| "", |v| v.to_str().unwrap_or("")).to_string();
self
}
pub fn upstream(&mut self, upstream: &http::Uri) -> &mut Self {
self.upstream = upstream.to_string();
self
}
pub fn output(&self) {
info!(
"{} <- {} -- {} {} {:?} -- {} -- {} \"{}\", \"{}\" \"{}\"",
if !self.host.is_empty() {
self.host.as_str()
} else {
self.uri_host.as_str()
},
self.client_addr,
self.method,
self.p_and_q,
self.version,
self.status,
if !self.uri_scheme.is_empty() && !self.uri_host.is_empty() {
format!("{}://{}", self.uri_scheme, self.uri_host)
} else {
"".to_string()
},
self.ua,
self.xff,
self.upstream,
// self.tls_server_name
);
}
}

60
rpxy-lib/src/message_handler/http_result.rs Normal file
View file

@ -0,0 +1,60 @@
use http::StatusCode;
use thiserror::Error;
/// HTTP result type, T is typically a hyper::Response
/// HttpError is used to generate a synthetic error response
pub(crate) type HttpResult<T> = std::result::Result<T, HttpError>;
/// Describes things that can go wrong in the forwarder
#[derive(Debug, Error)]
pub enum HttpError {
#[error("No host is give nin request header")]
NoHostInRequestHeader,
#[error("Invalid host in request header")]
InvalidHostInRequestHeader,
#[error("SNI and Host header mismatch")]
SniHostInconsistency,
#[error("No matching backend app")]
NoMatchingBackendApp,
#[error("Failed to redirect: {0}")]
FailedToRedirect(String),
#[error("No upstream candidates")]
NoUpstreamCandidates,
#[error("Failed to generate upstream request: {0}")]
FailedToGenerateUpstreamRequest(String),
#[error("Failed to add set-cookie header in response")]
FailedToAddSetCookeInResponse,
#[error("Failed to generated downstream response: {0}")]
FailedToGenerateDownstreamResponse(String),
#[error("Failed to upgrade connection")]
FailedToUpgrade,
#[error("Request does not have an upgrade extension")]
NoUpgradeExtensionInRequest,
#[error("Response does not have an upgrade extension")]
NoUpgradeExtensionInResponse,
#[error(transparent)]
Other(#[from] anyhow::Error),
}
impl From<HttpError> for StatusCode {
fn from(e: HttpError) -> StatusCode {
match e {
HttpError::NoHostInRequestHeader => StatusCode::BAD_REQUEST,
HttpError::InvalidHostInRequestHeader => StatusCode::BAD_REQUEST,
HttpError::SniHostInconsistency => StatusCode::MISDIRECTED_REQUEST,
HttpError::NoMatchingBackendApp => StatusCode::SERVICE_UNAVAILABLE,
HttpError::FailedToRedirect(_) => StatusCode::INTERNAL_SERVER_ERROR,
HttpError::NoUpstreamCandidates => StatusCode::NOT_FOUND,
HttpError::FailedToGenerateUpstreamRequest(_) => StatusCode::INTERNAL_SERVER_ERROR,
HttpError::FailedToAddSetCookeInResponse => StatusCode::INTERNAL_SERVER_ERROR,
HttpError::FailedToGenerateDownstreamResponse(_) => StatusCode::INTERNAL_SERVER_ERROR,
HttpError::FailedToUpgrade => StatusCode::INTERNAL_SERVER_ERROR,
HttpError::NoUpgradeExtensionInRequest => StatusCode::BAD_REQUEST,
HttpError::NoUpgradeExtensionInResponse => StatusCode::BAD_GATEWAY,
_ => StatusCode::INTERNAL_SERVER_ERROR,
}
}
}

11
rpxy-lib/src/message_handler/mod.rs Normal file
View file

@ -0,0 +1,11 @@
mod canonical_address;
mod handler_main;
mod handler_manipulate_messages;
mod http_log;
mod http_result;
mod synthetic_response;
mod utils_headers;
mod utils_request;
pub use handler_main::HttpMessageHandlerBuilderError;
pub(crate) use handler_main::{HttpMessageHandler, HttpMessageHandlerBuilder};

57
rpxy-lib/src/message_handler/synthetic_response.rs Normal file
View file

@ -0,0 +1,57 @@
use crate::{
error::*,
hyper_ext::body::{empty, BoxBody, IncomingOr},
name_exp::ServerName,
};
use http::{Request, Response, StatusCode, Uri};
use hyper::body::Incoming;
use super::http_result::{HttpError, HttpResult};
/// helper function to build http response with passthrough body
pub(crate) fn passthrough_response<B>(response: Response<Incoming>) -> Response<IncomingOr<B>>
where
B: hyper::body::Body,
{
response.map(IncomingOr::Left)
}
/// helper function to build http response with synthetic body
pub(crate) fn synthetic_response<B>(response: Response<B>) -> Response<IncomingOr<B>> {
response.map(IncomingOr::Right)
}
/// build http response with status code of 4xx and 5xx
pub(crate) fn synthetic_error_response(status_code: StatusCode) -> RpxyResult<Response<IncomingOr<BoxBody>>> {
let res = Response::builder()
.status(status_code)
.body(IncomingOr::Right(empty()))
.unwrap();
Ok(res)
}
/// Generate synthetic response message of a redirection to https host with 301
pub(super) fn secure_redirection_response<B>(
server_name: &ServerName,
tls_port: Option<u16>,
req: &Request<B>,
) -> HttpResult<Response<IncomingOr<BoxBody>>> {
let server_name: String = server_name.try_into().unwrap_or_default();
let pq = match req.uri().path_and_query() {
Some(x) => x.as_str(),
_ => "",
};
let new_uri = Uri::builder().scheme("https").path_and_query(pq);
let dest_uri = match tls_port {
Some(443) | None => new_uri.authority(server_name),
Some(p) => new_uri.authority(format!("{server_name}:{p}")),
}
.build()
.map_err(|e| HttpError::FailedToRedirect(e.to_string()))?;
let response = Response::builder()
.status(StatusCode::MOVED_PERMANENTLY)
.header("Location", dest_uri.to_string())
.body(IncomingOr::Right(empty()))
.map_err(|e| HttpError::FailedToRedirect(e.to_string()))?;
Ok(response)
}

292
rpxy-lib/src/message_handler/utils_headers.rs Normal file
View file

@ -0,0 +1,292 @@
use super::canonical_address::ToCanonical;
use crate::{
backend::{UpstreamCandidates, UpstreamOption},
log::*,
};
use anyhow::{anyhow, ensure, Result};
use bytes::BufMut;
use http::{header, HeaderMap, HeaderName, HeaderValue, Uri};
use std::{borrow::Cow, net::SocketAddr};
#[cfg(feature = "sticky-cookie")]
use crate::backend::{LoadBalanceContext, StickyCookie, StickyCookieValue};
// use crate::backend::{UpstreamGroup, UpstreamOption};
// ////////////////////////////////////////////////////
// // Functions to manipulate headers
#[cfg(feature = "sticky-cookie")]
/// Take sticky cookie header value from request header,
/// and returns LoadBalanceContext to be forwarded to LB if exist and if needed.
/// Removing sticky cookie is needed and it must not be passed to the upstream.
pub(super) fn takeout_sticky_cookie_lb_context(
headers: &mut HeaderMap,
expected_cookie_name: &str,
) -> Result<Option<LoadBalanceContext>> {
let mut headers_clone = headers.clone();
match headers_clone.entry(header::COOKIE) {
header::Entry::Vacant(_) => Ok(None),
header::Entry::Occupied(entry) => {
let cookies_iter = entry
.iter()
.flat_map(|v| v.to_str().unwrap_or("").split(';').map(|v| v.trim()));
let (sticky_cookies, without_sticky_cookies): (Vec<_>, Vec<_>) = cookies_iter
.into_iter()
.partition(|v| v.starts_with(expected_cookie_name));
if sticky_cookies.is_empty() {
return Ok(None);
}
ensure!(
sticky_cookies.len() == 1,
"Invalid cookie: Multiple sticky cookie values"
);
let cookies_passed_to_upstream = without_sticky_cookies.join("; ");
let cookie_passed_to_lb = sticky_cookies.first().unwrap();
headers.remove(header::COOKIE);
headers.insert(header::COOKIE, cookies_passed_to_upstream.parse()?);
let sticky_cookie = StickyCookie {
value: StickyCookieValue::try_from(cookie_passed_to_lb, expected_cookie_name)?,
info: None,
};
Ok(Some(LoadBalanceContext { sticky_cookie }))
}
}
}
#[cfg(feature = "sticky-cookie")]
/// Set-Cookie if LB Sticky is enabled and if cookie is newly created/updated.
/// Set-Cookie response header could be in multiple lines.
/// https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/Set-Cookie
pub(super) fn set_sticky_cookie_lb_context(
headers: &mut HeaderMap,
context_from_lb: &LoadBalanceContext,
) -> Result<()> {
let sticky_cookie_string: String = context_from_lb.sticky_cookie.clone().try_into()?;
let new_header_val: HeaderValue = sticky_cookie_string.parse()?;
let expected_cookie_name = &context_from_lb.sticky_cookie.value.name;
match headers.entry(header::SET_COOKIE) {
header::Entry::Vacant(entry) => {
entry.insert(new_header_val);
}
header::Entry::Occupied(mut entry) => {
let mut flag = false;
for e in entry.iter_mut() {
if e.to_str().unwrap_or("").starts_with(expected_cookie_name) {
*e = new_header_val.clone();
flag = true;
}
}
if !flag {
entry.append(new_header_val);
}
}
};
Ok(())
}
/// default: overwrite HOST value with upstream hostname (like 192.168.xx.x seen from rpxy)
pub(super) fn override_host_header(headers: &mut HeaderMap, upstream_base_uri: &Uri) -> Result<()> {
let mut upstream_host = upstream_base_uri
.host()
.ok_or_else(|| anyhow!("No hostname is given"))?
.to_string();
// add port if it is not default
if let Some(port) = upstream_base_uri.port_u16() {
upstream_host = format!("{}:{}", upstream_host, port);
}
// overwrite host header, this removes all the HOST header values
headers.insert(header::HOST, HeaderValue::from_str(&upstream_host)?);
Ok(())
}
/// Apply options to request header, which are specified in the configuration
pub(super) fn apply_upstream_options_to_header(
headers: &mut HeaderMap,
// _client_addr: &SocketAddr,
upstream: &UpstreamCandidates,
// _upstream_base_uri: &Uri,
) -> Result<()> {
for opt in upstream.options.iter() {
match opt {
UpstreamOption::DisableOverrideHost => {
// simply remove HOST header value
headers
.remove(header::HOST)
.ok_or_else(|| anyhow!("Failed to remove host header in disable_override_host option"))?;
}
UpstreamOption::UpgradeInsecureRequests => {
// add upgrade-insecure-requests in request header if not exist
headers
.entry(header::UPGRADE_INSECURE_REQUESTS)
.or_insert(HeaderValue::from_bytes(&[b'1']).unwrap());
}
_ => (),
}
}
Ok(())
}
/// Append header entry with comma according to [RFC9110](https://datatracker.ietf.org/doc/html/rfc9110)
pub(super) fn append_header_entry_with_comma(headers: &mut HeaderMap, key: &str, value: &str) -> Result<()> {
match headers.entry(HeaderName::from_bytes(key.as_bytes())?) {
header::Entry::Vacant(entry) => {
entry.insert(value.parse::<HeaderValue>()?);
}
header::Entry::Occupied(mut entry) => {
// entry.append(value.parse::<HeaderValue>()?);
let mut new_value = Vec::<u8>::with_capacity(entry.get().as_bytes().len() + 2 + value.len());
new_value.put_slice(entry.get().as_bytes());
new_value.put_slice(&[b',', b' ']);
new_value.put_slice(value.as_bytes());
entry.insert(HeaderValue::from_bytes(&new_value)?);
}
}
Ok(())
}
/// Add header entry if not exist
pub(super) fn add_header_entry_if_not_exist(
headers: &mut HeaderMap,
key: impl Into<Cow<'static, str>>,
value: impl Into<Cow<'static, str>>,
) -> Result<()> {
match headers.entry(HeaderName::from_bytes(key.into().as_bytes())?) {
header::Entry::Vacant(entry) => {
entry.insert(value.into().parse::<HeaderValue>()?);
}
header::Entry::Occupied(_) => (),
};
Ok(())
}
/// Overwrite header entry if exist
pub(super) fn add_header_entry_overwrite_if_exist(
headers: &mut HeaderMap,
key: impl Into<Cow<'static, str>>,
value: impl Into<Cow<'static, str>>,
) -> Result<()> {
match headers.entry(HeaderName::from_bytes(key.into().as_bytes())?) {
header::Entry::Vacant(entry) => {
entry.insert(value.into().parse::<HeaderValue>()?);
}
header::Entry::Occupied(mut entry) => {
entry.insert(HeaderValue::from_bytes(value.into().as_bytes())?);
}
}
Ok(())
}
/// Align cookie values in single line
/// Sometimes violates [RFC6265](https://www.rfc-editor.org/rfc/rfc6265#section-5.4) (for http/1.1).
/// This is allowed in RFC7540 (for http/2) as mentioned [here](https://stackoverflow.com/questions/4843556/in-http-specification-what-is-the-string-that-separates-cookies).
pub(super) fn make_cookie_single_line(headers: &mut HeaderMap) -> Result<()> {
let cookies = headers
.iter()
.filter(|(k, _)| **k == header::COOKIE)
.map(|(_, v)| v.to_str().unwrap_or(""))
.collect::<Vec<_>>()
.join("; ");
if !cookies.is_empty() {
headers.remove(header::COOKIE);
headers.insert(header::COOKIE, HeaderValue::from_bytes(cookies.as_bytes())?);
}
Ok(())
}
/// Add forwarding headers like `x-forwarded-for`.
pub(super) fn add_forwarding_header(
headers: &mut HeaderMap,
client_addr: &SocketAddr,
listen_addr: &SocketAddr,
tls: bool,
uri_str: &str,
) -> Result<()> {
// default process
// optional process defined by upstream_option is applied in fn apply_upstream_options
let canonical_client_addr = client_addr.to_canonical().ip().to_string();
append_header_entry_with_comma(headers, "x-forwarded-for", &canonical_client_addr)?;
// Single line cookie header
// TODO: This should be only for HTTP/1.1. For 2+, this can be multi-lined.
make_cookie_single_line(headers)?;
/////////// As Nginx
// If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
// scheme used to connect to this server
add_header_entry_if_not_exist(headers, "x-forwarded-proto", if tls { "https" } else { "http" })?;
// If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
// server port the client connected to
add_header_entry_if_not_exist(headers, "x-forwarded-port", listen_addr.port().to_string())?;
/////////// As Nginx-Proxy
// x-real-ip
add_header_entry_overwrite_if_exist(headers, "x-real-ip", canonical_client_addr)?;
// x-forwarded-ssl
add_header_entry_overwrite_if_exist(headers, "x-forwarded-ssl", if tls { "on" } else { "off" })?;
// x-original-uri
add_header_entry_overwrite_if_exist(headers, "x-original-uri", uri_str.to_string())?;
// proxy
add_header_entry_overwrite_if_exist(headers, "proxy", "")?;
Ok(())
}
/// Remove connection header
pub(super) fn remove_connection_header(headers: &mut HeaderMap) {
if let Some(values) = headers.get(header::CONNECTION) {
if let Ok(v) = values.clone().to_str() {
for m in v.split(',') {
if !m.is_empty() {
headers.remove(m.trim());
}
}
}
}
}
/// Hop header values which are removed at proxy
const HOP_HEADERS: &[&str] = &[
"connection",
"te",
"trailer",
"keep-alive",
"proxy-connection",
"proxy-authenticate",
"proxy-authorization",
"transfer-encoding",
"upgrade",
];
/// Remove hop headers
pub(super) fn remove_hop_header(headers: &mut HeaderMap) {
HOP_HEADERS.iter().for_each(|key| {
headers.remove(*key);
});
}
/// Extract upgrade header value if exist
pub(super) fn extract_upgrade(headers: &HeaderMap) -> Option<String> {
if let Some(c) = headers.get(header::CONNECTION) {
if c
.to_str()
.unwrap_or("")
.split(',')
.any(|w| w.trim().to_ascii_lowercase() == header::UPGRADE.as_str().to_ascii_lowercase())
{
if let Some(u) = headers.get(header::UPGRADE) {
if let Ok(m) = u.to_str() {
debug!("Upgrade in request header: {}", m);
return Some(m.to_owned());
}
}
}
}
None
}

71
rpxy-lib/src/message_handler/utils_request.rs Normal file
View file

@ -0,0 +1,71 @@
use crate::backend::{UpstreamCandidates, UpstreamOption};
use anyhow::{anyhow, ensure, Result};
use http::{header, Request};
/// Trait defining parser of hostname
/// Inspect and extract hostname from either the request HOST header or request line
pub trait InspectParseHost {
type Error;
fn inspect_parse_host(&self) -> Result<Vec<u8>, Self::Error>;
}
impl<B> InspectParseHost for Request<B> {
type Error = anyhow::Error;
/// Inspect and extract hostname from either the request HOST header or request line
fn inspect_parse_host(&self) -> Result<Vec<u8>> {
let drop_port = |v: &[u8]| {
if v.starts_with(&[b'[']) {
// v6 address with bracket case. if port is specified, always it is in this case.
let mut iter = v.split(|ptr| ptr == &b'[' || ptr == &b']');
iter.next().ok_or(anyhow!("Invalid Host header"))?; // first item is always blank
iter.next().ok_or(anyhow!("Invalid Host header")).map(|b| b.to_owned())
} else if v.len() - v.split(|v| v == &b':').fold(0, |acc, s| acc + s.len()) >= 2 {
// v6 address case, if 2 or more ':' is contained
Ok(v.to_owned())
} else {
// v4 address or hostname
v.split(|colon| colon == &b':')
.next()
.ok_or(anyhow!("Invalid Host header"))
.map(|v| v.to_ascii_lowercase())
}
};
let headers_host = self.headers().get(header::HOST).map(|v| drop_port(v.as_bytes()));
let uri_host = self.uri().host().map(|v| drop_port(v.as_bytes()));
// let uri_port = self.uri().port_u16();
// prioritize server_name in uri
match (headers_host, uri_host) {
(Some(Ok(hh)), Some(Ok(hu))) => {
ensure!(hh == hu, "Host header and uri host mismatch");
Ok(hh)
}
(Some(Ok(hh)), None) => Ok(hh),
(None, Some(Ok(hu))) => Ok(hu),
_ => Err(anyhow!("Neither Host header nor uri host is valid")),
}
}
}
////////////////////////////////////////////////////
// Functions to manipulate request line
/// Apply upstream options in request line, specified in the configuration
pub(super) fn apply_upstream_options_to_request_line<B>(
req: &mut Request<B>,
upstream: &UpstreamCandidates,
) -> anyhow::Result<()> {
for opt in upstream.options.iter() {
match opt {
UpstreamOption::ForceHttp11Upstream => *req.version_mut() = hyper::Version::HTTP_11,
UpstreamOption::ForceHttp2Upstream => {
// case: h2c -> https://www.rfc-editor.org/rfc/rfc9113.txt
// Upgrade from HTTP/1.1 to HTTP/2 is deprecated. So, http-2 prior knowledge is required.
*req.version_mut() = hyper::Version::HTTP_2;
}
_ => (),
}
}
Ok(())
}